Two settings-equivalent consumers, only one works


I’ve been beating on this one for around 24 solid, but have yet to find a similar enough report or a resolution.

Here’s the rough breakdown:

  • I’m developing a web application using Devise and omniauth-twitter.

  • I registered Consumer A so the web application that I’m developing can use Twitter for registration/login.

  • This web application has been deployed to a staging server for hands-on clicking-around testing. Everything works smashingly.

  • The client has registered Consumer B for the full production deployment due to branding and ownership concerns. Save for the branding and the callback URL, the settings match Consumer A exactly.

  • The web application has been deployed to a production server using the key/secret for Consumer B. Twitter interactions return either session_expired or invalid_credentials to the web app.

  • Changing the production config to use the key/secret for Consumer A causes the Twitter interactions to magically start working.

Given two consumers with identical permissions and whatnot, what might cause one to be usable, but not the other?


Where are you getting the session_expired error from? That doesn’t sound like it’s coming from Twitter.

Have you tried a third set of keys to further narrow the problem down to Consumer B? It certainly can happen where an application gets stubborn and refuses to auth correctly, but it’s a rate condition.

I would get down to a level where you’re logging the exact outbound URLs and HTTP headers being executed and the responses you’re getting back. If possible, drill down into the signature base string and signing keys – maybe you’re using consumer A’s secret with consumer B or some other minor gotcha.
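The check suggested in the reply above, as an added example that is not part of the original thread: it rebuilds the OAuth 1.0a signature base string and signing key (HMAC-SHA1, per RFC 5849) and reports which configured consumer secret reproduces a logged signature. The consumer key, secrets, nonce, timestamp and callback URL are constructed sample values, and the helper names are hypothetical.

```ruby
require "openssl"
require "base64"

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
def pct(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| "%%%02X" % b }.join }
end

# Base string: METHOD & encoded URL & encoded, sorted "k=v" parameter string.
def signature_base_string(method, url, params)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, pct(url), pct(normalized)].join("&")
end

# Signing key: encoded consumer secret, "&", encoded token secret
# (the token secret is empty while fetching a request token).
def signing_key(consumer_secret, token_secret = "")
  "#{pct(consumer_secret)}&#{pct(token_secret)}"
end

def hmac_sha1_signature(base_string, key)
  Base64.strict_encode64(OpenSSL::HMAC.digest("SHA1", key, base_string))
end

# Labels of the configured secrets that reproduce the signature seen in the log.
def matching_consumers(logged_signature, base_string, secrets, token_secret = "")
  secrets.select { |_label, secret|
    hmac_sha1_signature(base_string, signing_key(secret, token_secret)) == logged_signature
  }.keys
end

# Constructed sample data: a request that carries Consumer B's key.
SAMPLE_SECRETS = { "consumer_a" => "secret-A-constructed",
                   "consumer_b" => "secret-B-constructed" }.freeze
SAMPLE_PARAMS = {
  "oauth_callback"         => "https://prod.example.com/cb",
  "oauth_consumer_key"     => "CONSUMER_B_KEY",
  "oauth_nonce"            => "abc123",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp"        => "1300000000",
  "oauth_version"          => "1.0"
}.freeze
SAMPLE_BASE = signature_base_string("post", "https://api.twitter.com/oauth/request_token", SAMPLE_PARAMS)
# Simulates the mix-up named in the reply: B's key on the wire, A's secret used to sign.
LOGGED_SIGNATURE = hmac_sha1_signature(SAMPLE_BASE, signing_key(SAMPLE_SECRETS["consumer_a"]))

puts "base string: #{SAMPLE_BASE}"
puts "signature reproduced by: #{matching_consumers(LOGGED_SIGNATURE, SAMPLE_BASE, SAMPLE_SECRETS).inspect}"
```

In a real deployment, take the base string inputs and the `oauth_signature` value from the logged outbound request; a match on a secret that does not belong to the `oauth_consumer_key` in that request points to a key/secret mismatch in the configuration.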